1. Field of the Invention
The present invention is generally related to data network traffic filtering and security and, in particular, to a system and methods of selectively controlling network data traffic originating from and directed to virtualized computer systems.
2. Description of the Related Art
Computer system virtualization architectures enable direct realization of a broad variety of practical benefits in the implementation and management of computer systems, including both client and server-based systems. A virtualization architecture is generally defined by the ability to concurrently support multiple operating system environments on a single physical computer system hardware platform. Each operating system environment, typically referred to as a virtual machine, logically encapsulates a separate instance of an operating system and defines an execution space within which the operating system manages the execution of programs, including user and server level applications.
As conventionally implemented, each virtual machine presents a local operating system instance with an emulated hardware platform, thereby allowing execution of a standard operating system without requiring modifications specifically to enable virtualization. The multiple virtual machines are, in turn, cooperatively managed and supported within a virtualization framework. A primary task of the virtualization framework is to coordinate and maintain the integrity of shared access to the various physical hardware platform components. A predominant vendor of computer virtualization systems is VMware, Inc., Palo Alto, Calif.
A principal advantage embodied by virtualization architectures is the ability to establish and enforce isolation between the multiple virtual machines that are concurrently hosted on a single, physical computer system. Programs executed in one virtual machine are essentially unaffected by and, conversely, essentially unable to affect the execution of programs in other virtual machines. This isolation enables the virtual machines to encapsulate and execute different operating systems, whether distinguished by type, such as Windows® and Linux®, by specific OS variant, such as Windows XP™ or RedHat® Linux, or by OS version, such as may be distinguished by patch level. Even where virtual machines are used to run instances of the same operating system, different environment configurations can be implemented as needed to support different application versions, such as, for example, production use and ongoing development versions, and different tasks, such as for work and personal use.
Although the benefits of virtualization architectures are substantial, execution of multiple virtual machines on a single physical computer system adds certain complexities to existing management issues, including in particular security concerns. One added complexity arises from the need to provide appropriate security constraints between the applications running within the virtual machines, a host operating system if present, and the connected network environment. In a typical use scenario, a physical computer system may rely on an external firewall system, as typically implemented in a corporate or hosted provider network environment, to selectively filter network traffic to and from the physical computer system. Firewall system architectures are conventionally well-known as implementing various stateful and stateless network packet processing functions to selectively control the network traffic passed through the firewall system. The packet processing functions typically include discrete packet filtering, such as can be performed by the open source IPTables and IPChains software packages, and aggregated content packet filtering, as can be performed by various spam filter applications, all conventionally referred to generally as packet filtering.
In other typical use scenarios, the physical computer system may be used in a generally untrusted network environment. Typically, notebook and other mobile computer systems cannot presume external network protection. Equally, home computer systems must be guarded, particularly where a user has nominally verifiable rights to access a protected, typically corporate, network. In these cases, the conventional solution is to implement a client firewall application, based on open source packet filtering packages or proprietary packet filtering analogues, on the physical computer system. Doing so, however, increases the installation and management burden on the user and may degrade, to some potentially significant degree, the performance of the physical computer system. For devices that cannot support local execution of a firewall package, a hardware-based client firewall appliance is required.
In the case of a virtualization architecture, the presence of multiple virtual machines creates a security concern for network-based transactions between virtual machines and, in a host-based virtualization framework configuration, between the virtual machines and the underlying host operating system. In a hosted virtual machine configuration, the virtualization framework is executed in conjunction with a conventional host platform operating system. In an alternate virtualization architecture variant, a dedicated kernel can be implemented to directly support the virtualization framework. In both cases, a platform firewall application can be implemented as part of the host or dedicated kernel network stack to protect the physical computer system as a single entity. Although execution of programs within the virtual machines is isolated from one another and from the host operating system, the virtual machines can share a virtualization framework-based network connection that may not be secured by a platform firewall application. The shared network connection may be established at a level above the effective operation of the platform firewall application. In such instances, a firewall failure, or worse, an active compromise of the firewall, exposes all of the virtual machines to the inherent security risk. Even where the platform firewall application functions correctly, if a security breach, whether intentional or caused by the inadvertent execution of malware, arises from activity within one of the virtual machines, or from within the host operating system environment, the platform firewall application is unable to prevent the breach from freely spreading between the virtual machines and the host. The platform firewall application provides even less functional protection where the virtualization framework connects to the platform network stack below the connection point of the platform firewall application.
The conventional solutions include implementing only the single platform firewall and accepting the further risk of internal sources of security breaches. This has the benefit of incurring no more than the ordinary and expected management burden of implementing a firewall for the computer system as a single entity. This solution, however, has the negative effect of imposing a uniform performance penalty on all of the virtual machines independent of the actual network usage by the different virtual machines. An alternate solution is to additionally install and execute a firewall application individually in each of the virtual machines. While this will improve the security protection of the discrete virtual machines, as well as better distribute the firewall performance load based on actual network usage, the increased burden of coordinating and maintaining multiple independent security profiles is both substantial and likely error prone. Without suitable oversight of the firewall configuration on each of the virtual machines, inadvertent and unexpected security exposures can be created that compromise not only the security of an individual virtual machine or the host operating system, but of the entire platform.
Consequently, there is a distinct need for a network traffic management system capable of performing firewall operations securely for multiple virtual machines and a host operating system, if present, within a common virtualization framework.